[selinux-policy: 2644/3172] Devicekit patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:55:06 UTC 2010
commit 61738f11ec23f14a1b58522b4859a0f83a6571a6
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 3 09:01:46 2010 -0400
Devicekit patch from Dan Walsh.
policy/modules/services/devicekit.fc | 8 +++-
policy/modules/services/devicekit.if | 4 +-
policy/modules/services/devicekit.te | 95 ++++++++++++++++++++++++++++-----
3 files changed, 89 insertions(+), 18 deletions(-)
---
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
index 73a06f7..418a5a0 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
@@ -1,8 +1,14 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index 5be015a..f706b99 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -139,7 +139,7 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
-## All of the rules required to administrate
+## All of the rules required to administrate
## an devicekit environment
## </summary>
## <param name="domain">
@@ -162,7 +162,7 @@ interface(`devicekit_read_pid_files',`
interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
- type devicekit_var_run_t;
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 5d673bc..0d5e1a9 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.0.0)
+policy_module(devicekit, 1.0.1)
########################################
#
@@ -37,6 +37,8 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
+kernel_read_system_state(devicekit_t)
+
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
@@ -60,8 +62,10 @@ optional_policy(`
# DeviceKit disk local policy
#
-allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -71,29 +75,60 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
+
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
+kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
+kernel_request_load_module(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
+corecmd_exec_shell(devicekit_disk_t)
+corecmd_getattr_all_executables(devicekit_disk_t)
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
-
+dev_manage_generic_files(devicekit_disk_t)
+dev_getattr_all_chr_files(devicekit_disk_t)
+dev_getattr_mtrr_dev(devicekit_disk_t)
+
+domain_getattr_all_pipes(devicekit_disk_t)
+domain_getattr_all_sockets(devicekit_disk_t)
+domain_getattr_all_stream_sockets(devicekit_disk_t)
+domain_read_all_domains_state(devicekit_disk_t)
+
+files_dontaudit_read_all_symlinks(devicekit_disk_t)
+files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
+fs_list_inotifyfs(devicekit_disk_t)
+fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
-fs_manage_fusefs_dirs(devicekit_disk_t)
+fs_search_all(devicekit_disk_t)
+
+mls_file_read_all_levels(devicekit_disk_t)
+mls_file_write_to_clearance(devicekit_disk_t)
storage_raw_read_fixed_disk(devicekit_disk_t)
storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
+term_use_all_terms(devicekit_disk_t)
+
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
@@ -102,6 +137,16 @@ userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
fstools_domtrans(devicekit_disk_t)
')
@@ -110,28 +155,27 @@ optional_policy(`
')
optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
')
optional_policy(`
- mount_domtrans(devicekit_disk_t)
+ raid_domtrans_mdadm(devicekit_disk_t)
')
optional_policy(`
- dbus_system_bus_client(devicekit_disk_t)
-
- allow devicekit_disk_t devicekit_t:dbus send_msg;
-
- optional_policy(`
- consolekit_dbus_chat(devicekit_disk_t)
- ')
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
')
optional_policy(`
- udev_domtrans(devicekit_disk_t)
- udev_read_db(devicekit_disk_t)
+ virt_manage_images(devicekit_disk_t)
')
########################################
@@ -139,9 +183,11 @@ optional_policy(`
# DeviceKit-Power local policy
#
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:process getsched;
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -151,6 +197,8 @@ kernel_read_network_state(devicekit_power_t)
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_search_debugfs(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t)
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
@@ -159,7 +207,9 @@ consoletype_exec(devicekit_power_t)
domain_read_all_domains_state(devicekit_power_t)
+dev_read_input(devicekit_power_t)
dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -167,12 +217,17 @@ files_read_kernel_img(devicekit_power_t)
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
+fs_list_inotifyfs(devicekit_power_t)
+
term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
+sysnet_read_config(devicekit_power_t)
+sysnet_domtrans_ifconfig(devicekit_power_t)
+
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
@@ -180,6 +235,10 @@ optional_policy(`
')
optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
@@ -203,17 +262,23 @@ optional_policy(`
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
+ hal_manage_log(devicekit_power_t)
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
hal_dbus_chat(devicekit_power_t)
')
optional_policy(`
+ policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
policykit_read_reload(devicekit_power_t)
')
optional_policy(`
+ udev_read_db(devicekit_power_t)
+')
+
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
More information about the scm-commits
mailing list